YU Yan,GUO Shan-Qing,HUANG Hao

DOI: https://doi.org/10.3969/j.issn.1002-137X.2007.05.018

2007-01-01

Computer Science

Abstract:Existing anomaly intrusion detection algorithms based on machine learning are usually founded on the equivalent learning of all historical dataset.Therefore,the learned network behavior profiles depend on the historical data heavily,thus behavior characteristics of current network traffic can not be represented exactly.At the same time,the network packets which arrive persistently with high speed and large volume can not be stored and maintained in time because of the high time and space complexity of the anomaly intrusion detection algorithms.So,a kind of two-phase intrusion detection method based on data stream clustering is presented.In the method,the statistical information of the network traffic are collected and generated on line firstly.Then the statistical information which can represent current network situation nicely are used to detect the intrusions.Accordingly,the influence of historical data can be reduced.The empirical results manifest that such a two-phase intrusion detection method has better detection performance than that based on all historical data,as well as resolves the problems of insufficient system resources,such as memory,etc.,to improve the flexibility and concurrency of system.

Yitong Liu,Caiyun Liu,Jun Li,Yan Sun

DOI: https://doi.org/10.1007/978-981-97-2757-5_49

2024-01-01

Abstract:In today's information age, with the rapid development of network technology and a large number of applications of sensors in daily life. The number of various types of data has shown a great growth. These data not only bring us convenience and benefits, but also pose a great challenge to us, that is, how to explore the information of the data and effectively analyze the specific significance contained in the data has become a hot research direction. In the large amount of data obtained, most of the data are in the normal state and only represent the basic "value" information. Compared with the data in the normal state, the information carried by a small part of the data is more worthy of attention. The emergence of these data is the so-called "exception". The occurrence of exceptions indicates that the system that should be running normally has changed, and these changes often have a negative impact on the system. Looking at these applications, it is not difficult to find that the actual frequency of these anomalies accounts for a very small proportion compared with a large number of normal time, but its value is very huge. Therefore, real-time online anomaly detection of convective data has very important value and significance for scientific research and industrial application. In the process of this research, I have a more comprehensive and detailed understanding of the research field of "anomaly detection of stream data" through theoretical learning, apply the deep learning model to anomaly detection of stream data, and test the performance of the model through experiments. By comparing the performance of traditional anomaly detection algorithms, unsupervised and semi supervised machine learning models and neural networks such as LSTM/HTM in stream data anomaly detection, we try to find an algorithm that can detect stream data information in real time and provide anomaly alarm in time.

Xinghua Li,Mengyao Zhu,Laurence T. Yang,Mengfan Xu,Zhuo Ma,Cheng Zhong,Hui Li,Yang Xiang

DOI: https://doi.org/10.1109/tdsc.2021.3066202

2021-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Nowadays, in machine learning based intrusion detection systems, ensemble learning is a commonly adopted method to improve the detection accuracy. Unfortunately, the existing works have not considered the accumulation and reuse of historical knowledge, as well as the sensitivity of the detection model to different types of attacks, which leads to a low detection accuracy. To address the issue, this article proposes a model based on sustainable ensemble learning. In the model training stage, by taking the individual classifiers probability output and classification confidence as the training data, we build multi-class regression models such that ensemble learning adapts to different attacks. Besides, in the updating stage, an iterative updating method is presented, where the parameters and decision results of the historical model are added to the training process of the new ensemble model to realize the incremental learning. Experiment results show that the proposed model significantly outperforms the existing solutions in terms of detection accuracy, false alarm, stability and robustness.

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Yanfang Fu,Yishuai Du,Zijian Cao,Qiang Li,Wei Xiang

DOI: https://doi.org/10.3390/electronics11060898

IF: 2.9

2022-03-14

Electronics

Abstract:With an increase in the number and types of network attacks, traditional firewalls and data encryption methods can no longer meet the needs of current network security. As a result, intrusion detection systems have been proposed to deal with network threats. The current mainstream intrusion detection algorithms are aided with machine learning but have problems of low detection rates and the need for extensive feature engineering. To address the issue of low detection accuracy, this paper proposes a model for traffic anomaly detection named a deep learning model for network intrusion detection (DLNID), which combines an attention mechanism and the bidirectional long short-term memory (Bi-LSTM) network, first extracting sequence features of data traffic through a convolutional neural network (CNN) network, then reassigning the weights of each channel through the attention mechanism, and finally using Bi-LSTM to learn the network of sequence features. In intrusion detection public data sets, there are serious imbalance data generally. To address data imbalance issues, this paper employs the method of adaptive synthetic sampling (ADASYN) for sample expansion of minority class samples, to eventually form a relatively symmetric dataset, and uses a modified stacked autoencoder for data dimensionality reduction with the objective of enhancing information fusion. DLNID is an end-to-end model, so it does not need to undergo the process of manual feature extraction. After being tested on the public benchmark dataset on network intrusion detection NSL-KDD, experimental results show that the accuracy and F1 score of this model are better than those of other comparison methods, reaching 90.73% and 89.65%, respectively.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yan Feng,Zhihai Yang,Qindong Sun,Yanxiao Liu

DOI: https://doi.org/10.3390/electronics13152953

IF: 2.9

2024-07-27

Electronics

Abstract:Anomaly detection for network traffic aims to analyze the characteristics of network traffic in order to discover unknown attacks. Currently, existing detection methods have achieved promising results against high-intensity attacks that aim to interrupt the operation of the target system. In reality, attack behaviors that are commonly exhibited are highly concealed and disruptive. In addition, the attack scales are flexible and variable. In this paper, we construct a multiscale network intrusion behavior dataset, which includes three attack scales and two multiscale attack patterns based on probability distribution. Specifically, we propose a stacked ensemble learning-based detection model for anomalous traffic (or SEDAT for short) to defend against highly concealed multiscale attacks. The model employs a random forest (RF)-based method to select features and introduces multiple base learning autoencoders (AEs) to enhance the representation of multiscale attack behaviors. In addressing the challenge of a single model's inability to capture the regularities of multiscale attack behaviors, SEDAT is capable of adapting to the complex multiscale characteristics in network traffic, enabling the prediction of network access behavior. Comparative experiments demonstrate that SEDAT exhibits superior detection capabilities in multiscale network attacks. In particular, SEDAT achieves an improvement of at least 5% accuracy over baseline methods for detecting multiscale attacks.

engineering, electrical & electronic,physics, applied,computer science, information systems

Amardeep Singh,Julian Jang-Jaccard

DOI: https://doi.org/10.48550/arXiv.2204.03779

2022-04-07

Cryptography and Security

Abstract:The massive growth of network traffic data leads to a large volume of datasets. Labeling these datasets for identifying intrusion attacks is very laborious and error-prone. Furthermore, network traffic data have complex time-varying non-linear relationships. The existing state-of-the-art intrusion detection solutions use a combination of various supervised approaches along with fused features subsets based on correlations in traffic data. These solutions often require high computational cost, manual support in fine-tuning intrusion detection models, and labeling of data that limit real-time processing of network traffic. Unsupervised solutions do reduce computational complexities and manual support for labeling data but current unsupervised solutions do not consider spatio-temporal correlations in traffic data. To address this, we propose a unified Autoencoder based on combining multi-scale convolutional neural network and long short-term memory (MSCNN-LSTM-AE) for anomaly detection in network traffic. The model first employs Multiscale Convolutional Neural Network Autoencoder (MSCNN-AE) to analyze the spatial features of the dataset, and then latent space features learned from MSCNN-AE employs Long Short-Term Memory (LSTM) based Autoencoder Network to process the temporal features. Our model further employs two Isolation Forest algorithms as error correction mechanisms to detect false positives and false negatives to improve detection accuracy. %Additionally, covariance matrices forms a Riemannian manifold that is naturally embedded with distance metrices that facilitates descriminative patterns for detecting malicious network traffic. We evaluated our model NSL-KDD, UNSW-NB15, and CICDDoS2019 dataset and showed our proposed method significantly outperforms the conventional unsupervised methods and other existing studies on the dataset.

Christopher Nixon,Mohamed Sedky,Justin Champion,Mohamed Hassan

DOI: https://doi.org/10.1016/j.eswa.2024.123439

IF: 8.5

2024-02-12

Expert Systems with Applications

Abstract:Machine learning based intrusion detection systems monitor network data streams for cyber attacks. Challenges in this space include detecting unknown attacks, adapting to changes in the data stream such as changes in underlying behavior, the human cost of labeling data to retrain the machine learning model and the processing and memory constraints of a real-time data stream. Failure to manage the aforementioned factors could result in missed attacks, degraded detection performance, unnecessary expense or delayed detection times. This research proposes a new semi-supervised network data stream anomaly detection method, Split Active Learning Anomaly Detector (SALAD), which combines our novel Adaptive Anomaly Threshold and Stochastic Anomaly Threshold with Fading Factor methods. A novel Reconstruction Error based Distance from Threshold strategy is proposed and evaluated as part of an active stream framework to demonstrate reduction in labeling costs. The proposed methods are evaluated with the KDD Cup 1999, and UNSW-NB15 data sets, using the scikit-multiflow framework. Results demonstrated that the proposed SALAD method offered equivalent performance to full labeled and alternative Naïve Bayes (NB) and Hoeffding Adaptive Tree (HAT) methods, with a labeling budget of just 20%, significantly reducing the required human expertise to annotate the network data. Processing times of the SALAD method were demonstrated to be significantly lower than NB and HAT methods, allowing for greatly improved responsiveness to attacks occurring in real time.

computer science, artificial intelligence,engineering, electrical & electronic,operations research & management science

Zachary Tauscher,Yushan Jiang,Kai Zhang,Jian Wang,Houbing Song

DOI: https://doi.org/10.48550/arXiv.2108.08394

2021-08-19

Abstract:With massive data being generated daily and the ever-increasing interconnectivity of the world's Internet infrastructures, a machine learning based intrusion detection system (IDS) has become a vital component to protect our economic and national security. In this paper, we perform a comprehensive study on NSL-KDD, a network traffic dataset, by visualizing patterns and employing different learning-based models to detect cyber attacks. Unlike previous shallow learning and deep learning models that use the single learning model approach for intrusion detection, we adopt a hierarchy strategy, in which the intrusion and normal behavior are classified firstly, and then the specific types of attacks are classified. We demonstrate the advantage of the unsupervised representation learning model in binary intrusion detection tasks. Besides, we alleviate the data imbalance problem with SVM-SMOTE oversampling technique in 4-class classification and further demonstrate the effectiveness and the drawback of the oversampling mechanism with a deep neural network as a base model.

Cryptography and Security,Machine Learning

Jin Li,Kleanthis Malialis,Marios M. Polycarpou

DOI: https://doi.org/10.1109/IJCNN54540.2023.10191328

2023-09-06

Abstract:In our digital universe nowadays, enormous amount of data are produced in a streaming manner in a variety of application areas. These data are often unlabelled. In this case, identifying infrequent events, such as anomalies, poses a great challenge. This problem becomes even more difficult in non-stationary environments, which can cause deterioration of the predictive performance of a model. To address the above challenges, the paper proposes an autoencoder-based incremental learning method with drift detection (strAEm++DD). Our proposed method strAEm++DD leverages on the advantages of both incremental learning and drift detection. We conduct an experimental study using real-world and synthetic datasets with severe or extreme class imbalance, and provide an empirical analysis of strAEm++DD. We further conduct a comparative study, showing that the proposed method significantly outperforms existing baseline and advanced methods.

Machine Learning,Systems and Control

Lijian Sun,Yun Zhou,Yanjuan Wang,Cheng Zhu,Weiming Zhang

DOI: https://doi.org/10.1109/access.2020.3029100

IF: 3.9

2020-01-01

IEEE Access

Abstract:Recently, many anomaly intrusion detection algorithms have been developed and applied in network security. These algorithms achieve high detection rate on many classical datasets. However, most of them failed to address two challenges: 1) imbalanced traffic data with limited network attack, 2) multiple data sources that are distributed in different terminals. In detail, those algorithms assume that there are sufficient network traffic data to train their models for intrusion detection. Due to the network attack traffic is always scarce in the real-world network, this assumption is difficult to satisfy in most cases. In this paper, we use Multi-Task Learning (MTL) and oversampling methods to address those challenges of network intrusion detection. Firstly, we use the MTL method to treat each terminal as a single task, and then use relevant information between different terminals to help learn every single task. Meanwhile, we use the oversampling method to overcome the minority problem of attacks. Through a series of experiments on the latest UNSW-NB15 and CICIDS2018 datasets, this paper verifies the effectiveness of MTL and oversampling methods for network intrusion detection with limited network attack data, where they achieve more than 90% detection rate in different experimental settings.

Ying Zhong,Wenqi Chen,Zhiliang Wang,Yifan Chen,Kai Wang,Yahui Li,Xia Yin,Xingang Shi,Jiahai Yang,Keqin Li

DOI: https://doi.org/10.1016/j.comnet.2019.107049

IF: 5.493

2020-01-01

Computer Networks

Abstract:Network traffic anomaly detection is an important technique of ensuring network security. However, there are usually three problems with existing machine learning based anomaly detection algorithms. First, most of the models are built for stale data sets, making them less adaptable in real-world environments; Second, most of the anomaly detection algorithms do not have the ability to learn new models again based on changes in the attack environment; Third, from the perspective of data multi-dimensionality, a single detection algorithm has a peak value and cannot be well adapted to the needs of a complex network attack environment. Thus, we propose a new anomaly detection framework, and this framework is based on the organic integration of multiple deep learning techniques. In the first step, we used the Damped Incremental Statistics algorithm to extract features from network traffic; Second, we train Autoencoder with a small amount of label data; Third, we use Autoencoder to mark the abnormal score of network traffic; Fourth, the data with the abnormal score label is used to train the LSTM; Finally, the weighted method is used to get the final abnormal score. The experimental results show that our HELAD algorithm has better adaptability and accuracy than other state of the art algorithms. (C) 2019 Published by Elsevier B.V.

Zhendong Wang,Zeyu Li,Junling Wang,Dahai Li

DOI: https://doi.org/10.1155/2021/9486949

IF: 1.968

2021-10-28

Security and Communication Networks

Abstract:The combination of deep learning and intrusion detection has become a hot topic in today’s network security. In the face of massive, high-dimensional network traffic with uneven sample distribution, how to be able to accurately detect anomalous traffic is the primary task of intrusion detection. Most research on intrusion detection systems based on network anomalous traffic detection has focused on supervised learning; however, the process of obtaining labeled data often requires a lot of time and effort, as well as the support of network experts. Therefore, it is worthwhile investigating the development of label-free self-supervised learning-based approaches called BYOL which is a simple and elegant framework with sufficiently powerful feature extraction capabilities for intrusion detection systems. In this paper, we propose a new data augmentation strategy for intrusion detection data and an intrusion detection model based on label-free self-supervised learning, using a new data augmentation strategy to introduce a perturbation enhancement model to learn invariant feature representation capability and an improved BYOL self-supervised learning method to train the UNSW-NB15 intrusion detection dataset without labels to extract network traffic feature representations. Linear evaluation on UNSW-NB15 and transfer learning on NSK-KDD, KDD CUP99, CIC IDS2017, and CIDDS_001 achieve excellent performance in all metrics.

computer science, information systems,telecommunications

Weiwei Chen,Fangang Kong,Feng Mei,Guiqin Yuan,Bo Li

DOI: https://doi.org/10.1109/bigdatasecurity.2017.56

2017-01-01

Abstract:Network Anomaly Detection plays an important part in network security. Among the state-of-the-art approaches, unsupervised anomaly detection is effective when dealing with unlabelled data. However, these approaches also suffer from high false positive rate. We observed that different methods have their own defects and advantages. Inspired by this observation, we provide a new ensemble clustering(NEC) method to detect novel anomalies. In our system,we can get higher detection rate and lower false positive rate compared with existed apporaches as verified over NSL-KDD 2009 dataset.

Mingshu He,Xiaojuan Wang,Peng Wei,Liu Yang,Yinglei Teng,Renjian Lyu

DOI: https://doi.org/10.1109/tnsm.2024.3352586

2024-01-01

IEEE Transactions on Network and Service Management

Abstract:Anomaly detection plays an essential role in network security and traffic classification. Many studies have focused on anomaly detection to improve network security, including machine learning and deep learning methods. These methods often require numerous samples and must obtain the results by classifying the entire data set, thereby limiting their inflexibility. Although transfer and multitask learning have achieved some results in the model’s transferability, these methods must manually label or reprocess the test set. These problems limit the application of previous methods in network security management. To solve these problems, we propose a transferable and adaptable network intrusion detection system (TA-NIDS) based on deep reinforcement learning. The interaction process between the agent and the environment varies every time. A small-scale data set can be used to produce many interactive processes. Therefore, robustness is guaranteed when there are few samples. Then, a reasonable reward function allows the agent to learn how to first choose outliers without classifying the entire data set. This makes the TA-NIDS more adaptable to the scene when we prioritize apparent outliers. More importantly, the original features are transformed into the state of the environment, so no requirement exists for the feature dimension. Furthermore, the general rather than the specific state of one data set makes the model transferable to other data sets. The experimental results for IDS2017, IDS2018, NSL-KDD, UNSW-NB15 and CIC-IoT2023 show that the proposed framework maintains good accuracy when prioritizing outliers and transferability are prioritized simultaneously.

computer science, information systems

Fengrui Liu,Yang Wang,Zhenyu Li,Hongtao Guan,Gaogang Xie

DOI: https://doi.org/10.1016/j.comcom.2023.06.027

IF: 5.047

2023-09-01

Computer Communications

Abstract:With the widespread use of Internet applications, ensuring the quality and reliability of online services has become increasingly important. Therefore, anomaly detection methods play a critical role in identifying potential anomalies in the data streams of infrastructure systems and service applications. However, most of known detection methods have an underlying assumption that the data streams are continuous. In practice, we learn that many real-world data streams can be sporadic. It incurs particular challenges for the task of anomaly detection, for which the common preprocessing of downsampling on sporadic data can omit potential anomalies and delay alarms. In this paper, we propose an ensemble learning-based anomaly detection method on sporadic data streams named AD 2 S . It consists of two modules: a monitor module to continuously and adaptively determine the measure windows for observations, and a detection module that utilizes an isolation partition strategy to estimate the anomaly degree of each incoming observation. Based on experimental results on eight synthetic and public real-world datasets, our method outperforms other state-of-the-art methods with an average AUC score of 0.923. Additionally, our analysis demonstrates that the proposed method has constant amortized time and space complexity, enabling once detection within an average of 9.9 ms and maximum memory usage of 26.14 KB. The code of AD 2 S is open-sourced for further research.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xianwei Gao,Chun Shan,Changzhen Hu,Zequn Niu,Zhen Liu

DOI: https://doi.org/10.1109/access.2019.2923640

IF: 3.9

2019-01-01

IEEE Access

Abstract:In recent years, advanced threat attacks are increasing, but the traditional network intrusion detection system based on feature filtering has some drawbacks which make it difficult to find new attacks in time. This paper takes NSL-KDD data set as the research object, analyses the latest progress and existing problems in the field of intrusion detection technology, and proposes an adaptive ensemble learning model. By adjusting the proportion of training data and setting up multiple decision trees, we construct a MultiTree algorithm. In order to improve the overall detection effect, we choose several base classifiers, including decision tree, random forest, kNN, DNN, and design an ensemble adaptive voting algorithm. We use NSL-KDD Test+ to verify our approach, the accuracy of the MultiTree algorithm is 84.2%, while the final accuracy of the adaptive voting algorithm reaches 85.2%. Compared with other research papers, it is proved that our ensemble model effectively improves detection accuracy. In addition, through the analysis of data, it is found that the quality of data features is an important factor to determine the detection effect. In the future, we should optimize the feature selection and preprocessing of intrusion detection data to achieve better results.

Jun Jiang,Fagui Liu,Yongheng Liu,Quan Tang,Bin Wang,Guoxiang Zhong,Weizheng Wang

DOI: https://doi.org/10.1016/j.comcom.2022.07.034

IF: 5.047

2022-01-01

Computer Communications

Abstract:With the rapid development of ambient intelligence (AmI) in the Internet of Things (IoT), many data streams are generated from sensing devices in intelligent scenarios. Due to the deployment issues of IoT devices and the system's complexity, abnormal behavior is inevitable, resulting in imbalanced data categories. Moreover, data streams generated in IoT systems are dynamic, continuous, and as the environment changes, further increasing the difficulty of anomaly detection. Therefore, we model the monitored historical and current data from the perspective of dynamic imbalanced data streams classification to discover abnormal behaviors in IoT systems. In this paper we propose a dynamic ensemble algorithm for anomaly detection in IoT environments. First the abnormal data samples are synthesized by the borderline-synthetic minority over-sampling technique (Borderline-SMOTE) to relieve the sample imbalance problem. Then considering the dynamics and continuity of data streams we adopt a chunk-based strategy to train a LightGBM classifier for each chunk of data to adapt to the current data distribution. To improve the ensemble model's processing efficiency and anomaly detection accuracy we adopt a dynamic weighting strategy for base classifiers and remove the classifier whose accuracy performance is lower than the threshold. Finally we evaluate our proposed algorithm by conducting comparative experiments on real-world data streams. Experimental results show that our proposed algorithm outperforms the comparative anomaly detection methods in IoT scenarios.

Li Cheng,Yijie Wang,Yong Zhou,Xingkong Ma

DOI: https://doi.org/10.1177/1550147718803303

IF: 1.938

2018-01-01

International Journal of Distributed Sensor Networks

Abstract:Due to the increasing arriving rate and complex relationship of behavior data streams, how to detect sequential behavior anomaly in an efficient and accurate manner has become an emerging challenge. However, most of the existing literature simply calculates the anomaly score for segmented sequence, and there is limited work going deep to investigate data stream segment and structural relationship. Moreover, existing studies cannot meet efficiency requirements because of large number of projected subsequences. In this article, we propose EADetection, an efficient and accurate sequential behavior anomaly detection approach over data streams. EADetection adopts time interval and fuzzy logic–based correlation to segment event stream adaptively based on rolling window. Through dynamic projection space–based fast pruning, large number of repeated patterns are reduced to improve detection efficiency. Meanwhile, EADetection calculates the anomaly score by top-k pattern–based abnormal scoring based on directed loop graph–based storage strategy, which ensures the accuracy of detection. Specially, we design and implement a streaming anomaly detection system based on EADetection to perform real-time detection. Extensive experiments confirm that EADetection can achieve real time and improve accuracy, significantly reduces latency by 36.8% and reduces false positive rate by 6.4% compared with existing approach.

Tamilselvan Arjunan

DOI: https://doi.org/10.22214/ijraset.2024.58946

2024-03-31

International Journal for Research in Applied Science and Engineering Technology

Abstract:Abstract: In light of the increasing sophistication of cyberattacks and the rapid growth in network traffic, it is essential to detect network traffic anomalies or intrusions as they occur. Manual inspection is inefficient due to the large volume, speed, and variety network traffic data. This paper suggests using deep learning techniques in order to build intelligent models which can detect network traffic anomalies automatically within big data environments. We present a framework for anomaly detection using long-short-term memory models (LSTM) and convolutional neural network (CNN). The models are based on data extracted from packet captures. The models are evaluated on benchmark intrusion datasets as well as a large scale real network traffic dataset. The results show that deep learning models are able to detect anomalies more effectively than traditional shallow learning methods. Models can handle high-volume streaming data with low latency and in real time. To improve detection efficiency, we also propose optimization methods such as model compression and transfer learning. This work shows the effectiveness of deep learning for real-time anomaly detection within big data environments